CVE-2026-4326
Status: Received - Intake
Missing Authorization in Vertex Addons Plugin Enables Arbitrary Plugin Activation

Publication date: 2026-04-09

Last updated on: 2026-04-09

Assigner: Wordfence

Description
The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The cause is improper authorization enforcement in the activate_required_plugins() function: the current_user_can('install_plugins') capability check does not terminate execution when it fails; it only sets an error message variable and lets the plugin installation and activation code run. The error response is sent only after the installation and activation have already completed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins from the WordPress.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: vertex
Product: addons_for_elementor
Version / Range: up to and including 1.6.4
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated attackers with Subscriber-level access and above to install and activate arbitrary plugins because the authorization check is not enforced. An attacker-chosen plugin runs with the full privileges of the WordPress installation, so this can lead to unauthorized changes and compromise of the entire site.

Such unauthorized access and control over the system could result in violations of standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

However, the provided context does not explicitly state the direct impact on compliance with these standards.


Can you explain this vulnerability to me?

The Vertex Addons for Elementor plugin for WordPress has a Missing Authorization vulnerability in all versions up to and including 1.6.4. The function activate_required_plugins() does check whether the current user has the 'install_plugins' capability, but it does not stop when that check fails. It only sets an error message and then continues into the plugin installation and activation code; the error is returned to the caller only after those steps have run. As a result, any authenticated user with Subscriber-level access or higher can install and activate arbitrary plugins on the site.
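The pattern described in the Description and in the answer above, as an added illustration written for this page; it is hypothetical example code, not the Vertex Addons plugin's source. The first handler shows the flaw class (a capability check that only records an error and falls through), the second shows the hardened form that terminates before any privileged work. The AJAX action name, nonce name, request parameter, allow-list and helper are all assumptions; the WordPress core calls (current_user_can, check_ajax_referer, wp_send_json_error, plugins_api, Plugin_Upgrader, activate_plugin) are real. Note that any logged-in user, including a Subscriber, can invoke a wp_ajax_ hook, which is why a non-terminal check is reachable by low-privilege accounts.

```php
<?php
/**
 * Added illustration for CVE-2026-4326, not the plugin's own code.
 * Names prefixed vx_example_ and the 'plugin_slug' parameter are assumptions.
 */

// Vulnerable pattern: the capability check only records an error, so a
// Subscriber still reaches the install/activate calls; the error response is
// sent only after the privileged work has already completed.
function vx_example_activate_required_plugins_vulnerable() {
    $error = '';
    if ( ! current_user_can( 'install_plugins' ) ) {
        $error = __( 'You are not allowed to install plugins.', 'vx-example' );
        // Missing here: wp_send_json_error( $error ); (which calls wp_die()).
    }

    $slug   = isset( $_POST['plugin_slug'] ) ? sanitize_key( wp_unslash( $_POST['plugin_slug'] ) ) : '';
    $result = vx_example_install_and_activate( $slug ); // runs regardless of $error

    if ( $error ) {
        wp_send_json_error( $error ); // too late: the plugin is already active
    }
    wp_send_json_success( $result );
}

// Hardened pattern: verify the nonce and the capability first and terminate on
// failure, then restrict the slug to the dependencies this plugin actually needs.
function vx_example_activate_required_plugins_fixed() {
    check_ajax_referer( 'vx_example_activate', 'nonce' );

    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        // wp_send_json_error() ends the request via wp_die(); nothing below runs.
        wp_send_json_error( __( 'You are not allowed to install plugins.', 'vx-example' ), 403 );
    }

    $slug    = isset( $_POST['plugin_slug'] ) ? sanitize_key( wp_unslash( $_POST['plugin_slug'] ) ) : '';
    $allowed = array( 'elementor' ); // assumed allow-list of required dependencies
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( __( 'Unknown plugin.', 'vx-example' ), 400 );
    }

    $result = vx_example_install_and_activate( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( $result );
}

// Shared helper built on core's upgrader. It performs no authorization of its
// own, which is exactly why the caller's check has to be terminal.
function vx_example_install_and_activate( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( is_wp_error( $installed ) || ! $installed ) {
        return new WP_Error( 'install_failed', 'Plugin installation failed.' );
    }

    $plugin_file = $upgrader->plugin_info();
    $activated   = activate_plugin( $plugin_file );
    if ( is_wp_error( $activated ) ) {
        return $activated;
    }
    return $plugin_file;
}

// Only the hardened handler should be wired to the (authenticated) AJAX hook.
add_action( 'wp_ajax_vx_example_activate', 'vx_example_activate_required_plugins_fixed' );
```

When reviewing a handler like this, the check to make is not whether current_user_can() is called but whether every failure path returns or dies before the first privileged call; a nonce alone does not substitute for the capability check, since a Subscriber can obtain a valid nonce for any action rendered to them.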


How can this vulnerability impact me?

This vulnerability can have a severe impact because it allows attackers with low-level access (Subscriber or above) to install and activate any plugin they choose on the WordPress site. Plugin code runs with the full privileges of the installation, so this can lead to complete compromise of the site's confidentiality, integrity, and availability, as reflected in the CVSS score of 8.8 with high impact on all three. Administrators should confirm whether the installed plugin version is 1.6.4 or earlier and review the site for unexpected plugins.

